thus spoke Horst Pflugstaedt <Pfaedt@uni-duisburg.de> [2004.06.26.2155 +0200]:
> what would be the alternative?
> The security team would have to announce "there's a possible security
> flaw in package XY, we're on it, but it may take some more days to fix
> it"
>
> What's the worth of such announcements? Users (You'd) know about a bug, but
> still could not do anything about it. After all, I'd strongly object
> to my web-host/ISP/Sys-Admin/... switching off
> apache/php/ssh/name-whatever-tool-you-really-need because they have heard of
> a yet unfixed security-problem.

That's a thing of your webhoster. But if I knew of e.g. a root exploit
in the HTTP part of a mission-critical server containing secret data,
I want to turn it off, or take additional security precautions, like
a firewall layer etc.

Not knowing about it doesn't mean that the "bad guys" don't know about it.

-- 
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!